Large Scale Payment Data Breaches Highlight Need for U.S. Card Issuers and Retailers to Move More Quickly to Smart Chip Payment Technology

Published 3:34 PM ET Fri, 24 Jan 2014
Globe Newswire

PRINCETON JUNCTION, N.J., Jan. 24, 2014 (GLOBE NEWSWIRE) -- Recent large-scale payment data breaches are contributing to the significant card fraud problem in the U.S. The U.S. loses $5 billion a year to card fraud, accounting for about half of global card fraud despite only generating about a quarter of the total volume of purchases and cash1. This is due to the ease with which criminals can obtain credit and debit card account information from insecure magnetic stripe cards and create counterfeit cards. As a result, the U.S. is quickly becoming a fraud target, as most of the rest of the world (80+ countries) has already made the move to chip-based payment cards.

Now, the U.S. Federal Bureau of Investigation has taken notice. According to Reuters, the FBI "distributed a confidential, three-page report to retail companies last week describing the risks posed by 'memory-parsing' malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles." The FBI said in its report:

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it… The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors."

Smart chip payment technology, also referred to as EMV, is an open-standard set of specifications for smart card payments and acceptance devices. The specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. Smart chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.

First, the chip card includes a secure microprocessor chip that stores payment card data placed there by the issuer during the personalization process and can perform cryptographic processing during a payment transaction. This payment data is stored securely in the card's chip and is impervious to access by unauthorized parties. The microprocessor chip is used instead of the magnetic stripe during each EMV payment transaction and helps to prevent card skimming and card cloning, the most common ways magnetic stripe cards are compromised and used for fraudulent activity.

Second, in a chip card transaction, the card is authenticated as being genuine, and the transaction generates a dynamic data element or cryptogram that is authenticated online or offline, according to issuer-determined risk parameters.

Third, even if fraudsters are able to steal account data from chip transactions, this data contains a one-time use cryptogram and does not include other data needed for magnetic stripe transactions. This means that the data cannot be used to create a fraudulent transaction in an EMV chip or magnetic stripe environment.

As described above, each of these transaction security features helps to prevent fraudulent transactions. In addition, the inability to create counterfeit cards with stolen chip card data will greatly devalue the data retailers accumulate from payments transactions, making this data less valuable for criminals to steal.

While the U.S. is one of the last countries to migrate to chip cards, the major payment brands American Express, Discover, MasterCard and Visa have announced their plans for moving to a smart chip-based payments infrastructure in the U.S. Acquirers have met the April 2013 deadline for processing chip-based transactions and have started deploying EMV to their merchants as part of the normal upgrade path. Next, card issuers and retailers will face a fraud liability shift. After October 2015, the party that has made investment in EMV deployment will be protected from financial liability for card-present fraud losses. Despite this date drawing near, progress in terms of chip card issuance and installation of EMV chip-compliant acceptance terminals remains slow. While some merchants and issuers have started towards chip readiness, the estimated 10 to 15 million chip cards issued to date2 represents less than 2 percent of U.S.-issued cards.

As breaches like Target and Neiman Marcus continue, consumers are becoming more aware of the vulnerabilities of magnetic stripe cards and will begin to demand more secure chip cards and retail locations where they can make chip-based payments. Now is the time for card issuers and merchants to move much more quickly towards a chip-based payments infrastructure.

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.

Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S., Latin America, and the Caribbean. For more information please visit http://www.smartcardalliance.org.